
Merge pull request #760 from gravitl/feature_v0.10.0_key_check

removed default master key and added warning log if not set
Matthew R Kasun 3 years ago
parent
commit
1ac09146d2
7 changed files with 12 additions and 11 deletions
  1. 2 0
      controllers/network_test.go
  2. 2 2
      controllers/security.go
  3. 1 6
      controllers/server.go
  4. 2 2
      logic/jwts.go
  5. BIN
      main
  6. 4 0
      main.go
  7. 1 1
      servercfg/serverconf.go

+ 2 - 0
controllers/network_test.go

@@ -1,6 +1,7 @@
 package controller
 
 import (
+	"os"
 	"testing"
 	"time"
 
@@ -193,6 +194,7 @@ func TestSecurityCheck(t *testing.T) {
 	//these seem to work but not sure it the tests are really testing the functionality
 
 	database.InitializeDatabase()
+	os.Setenv("MASTER_KEY", "secretkey")
 	t.Run("NoNetwork", func(t *testing.T) {
 		err, networks, username := SecurityCheck(false, "", "Bearer secretkey")
 		assert.Nil(t, err)
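Review bot: The added `os.Setenv("MASTER_KEY", "secretkey")` is never undone, so the master key leaks into every test that runs after TestSecurityCheck in this package and can mask a missing-key regression elsewhere. If the module's Go version is 1.17 or newer, `t.Setenv("MASTER_KEY", "secretkey")` restores the previous value when the test ends; otherwise capture the old value and `defer os.Setenv("MASTER_KEY", old)`. The test body continues past the hunk, so the subsequent subtests that rely on "Bearer secretkey" are not visible here.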

+ 2 - 2
controllers/security.go

@@ -98,9 +98,9 @@ func SecurityCheck(reqAdmin bool, netname string, token string) (error, []string
 	return nil, userNetworks, username
 }
 
-//Consider a more secure way of setting master key
+// Consider a more secure way of setting master key
 func authenticateMaster(tokenString string) bool {
-	return tokenString == servercfg.GetMasterKey()
+	return tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != ""
 }
 
 //Consider a more secure way of setting master key
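Review bot: The new `authenticateMaster` still compares the bearer token with `==`, which is not constant-time, and it calls `servercfg.GetMasterKey()` twice so the two reads could in principle observe different values. Reading the key once and using `crypto/subtle` closes both: `key := servercfg.GetMasterKey()` then `return key != "" && subtle.ConstantTimeCompare([]byte(tokenString), []byte(key)) == 1`. The identical comparison pattern appears at the two changed lines in logic/jwts.go (VerifyUserToken and VerifyToken) and would benefit from the same treatment.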

+ 1 - 6
controllers/server.go

@@ -49,7 +49,7 @@ func securityCheckServer(adminonly bool, next http.Handler) http.HandlerFunc {
 			returnErrorResponse(w, r, errorResponse)
 			return
 		}
-		if adminonly && !isadmin && !authenticateMasterServer(authToken) {
+		if adminonly && !isadmin && !authenticateMaster(authToken) {
 			returnErrorResponse(w, r, errorResponse)
 			return
 		}
@@ -57,11 +57,6 @@ func securityCheckServer(adminonly bool, next http.Handler) http.HandlerFunc {
 	}
 }
 
-//Consider a more secure way of setting master key
-func authenticateMasterServer(tokenString string) bool {
-	return tokenString == servercfg.GetMasterKey()
-}
-
 func removeNetwork(w http.ResponseWriter, r *http.Request) {
 	// Set header
 	w.Header().Set("Content-Type", "application/json")

+ 2 - 2
logic/jwts.go

@@ -55,7 +55,7 @@ func CreateUserJWT(username string, networks []string, isadmin bool) (response s
 func VerifyUserToken(tokenString string) (username string, networks []string, isadmin bool, err error) {
 	claims := &models.UserClaims{}
 
-	if tokenString == servercfg.GetMasterKey() {
+	if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {
 		return "masteradministrator", nil, true, nil
 	}
 
@@ -79,7 +79,7 @@ func VerifyToken(tokenString string) (nodeID string, mac string, network string,
 
 	//this may be a stupid way of serving up a master key
 	//TODO: look into a different method. Encryption?
-	if tokenString == servercfg.GetMasterKey() {
+	if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {
 		return "mastermac", "", "", nil
 	}
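Review bot: With this change the expression `tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != ""` now exists in three places (both hunks here and controllers/security.go), so any future call site has to remember the empty-key guard on its own. A single helper next to the getter, e.g. `func IsMasterKey(token string) bool` in servercfg that encapsulates the non-empty check, would make the guard impossible to forget and give one place to harden the comparison. The bodies of VerifyUserToken and VerifyToken continue outside the hunks, and the "masteradministrator" / "mastermac" short-circuits bypass the rest of each function, which is worth stating in their doc comments.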
 

BIN
main


+ 4 - 0
main.go

@@ -41,6 +41,10 @@ func main() {
 func initialize() { // Client Mode Prereq Check
 	var err error
 
+	if servercfg.GetMasterKey() == "" {
+		logger.Log(0, "warning: MASTER_KEY not set, this could make account recovery difficult")
+	}
+
 	if servercfg.GetNodeID() == "" {
 		logger.FatalLog("error: must set NODE_ID, currently blank")
 	}
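Review bot: The warning text understates the consequence: together with the empty-key guards this PR adds in controllers/security.go and logic/jwts.go, an unset MASTER_KEY disables master-key authentication altogether, not merely "account recovery". Suggest `logger.Log(0, "warning: MASTER_KEY not set, master key authentication is disabled")` so an operator reading the log understands what changed. It also looks like GetMasterKey can still return the previous default if a config file sets `server.masterkey` to "secretkey"; if that is the case, a second warning for that literal value would catch deployments that relied on the old default, but confirm against the config loader, which is not visible here.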

+ 1 - 1
servercfg/serverconf.go

@@ -266,7 +266,7 @@ func GetMessageQueueEndpoint() string {
 
 // GetMasterKey - gets the configured master key of server
 func GetMasterKey() string {
-	key := "secretkey"
+	key := ""
 	if os.Getenv("MASTER_KEY") != "" {
 		key = os.Getenv("MASTER_KEY")
 	} else if config.Config.Server.MasterKey != "" {
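Review bot: The doc comment on GetMasterKey should state the new contract, since callers now depend on it: `// GetMasterKey - gets the configured master key of server; returns "" when no key is configured, and callers must treat "" as "master key authentication disabled".` The environment read is also done twice; `if v := os.Getenv("MASTER_KEY"); v != "" { key = v }` reads it once and keeps the `v` scope tight. The function's remaining branch runs past the end of the hunk.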